(Note: I'm the person that coined the term "Log4Shell")
You may be surprised when I tell you what the Apache Software Foundation's yearly budget is. You'd think for software that is used by practically every Fortune 500 company and most governments, it would be something reasonable. Maybe a few hundred million dollars a year to pay for a reasonable full-time staff, right?
It turns out... it's about $2 million a year. (Wikipedia[0])
This helps explain to me why the devs of Log4j directly uploaded the file "JNDIExploit.java" (the POC) to GitHub while they were patching. (Here is a full analysis about what happened[1].)
They're not security people. They're volunteers working on this in addition to their full-time job.
What kind of brave soul wants to trudge through and maintain log4j in their spare time for zero compensation? I appreciate the people that are capable of doing that, but I think they are rare!
This whole entire vulnerability was eye-opening for everybody, and I have actually spent the last year building tooling on GitHub to help fix the problems that Log4Shell exposed.
If you have 2 seconds to try that out or just Star the repo[2], it would be very helpful!
0: Log4j revenue https://en.wikipedia.org/wiki/The_Apache_Software_Foundation
1: "How to Discuss and Fix Vulnerabilities in Open Source" https://www.lunasec.io/docs/blog/how-to-mitigate-open-source...
2: GitHub project building better dependency patching tools https://github.com/lunasec-io/lunasec
> What kind of brave soul wants to trudge through and maintain _____ for zero compensation?
Can't this sentence be changed for almost any open source project?
Compare that to something like Bun.js[0] which is "sexy" and written in a "cool" programming language (Zig). Or Wasp[1] which is built with Haskell and is trying to define a new programming language designed to make common dev patterns less painful.
Those projects are naturally going to soak up smart people that have extra energy to share because they hate their day job but need to pay their bills. (imo)
Who is left that wants to bang their head against a legacy codebase like Log4j? Maybe somebody that feels there is "clout" to be had from it? (Spitballing here, I honestly don't know!)